Journal of Network and Systems Management

, Volume 27, Issue 1, pp 93–120 | Cite as

Enhancing the Accuracy of Intrusion Detection Systems by Reducing the Rates of False Positives and False Negatives Through Multi-objective Optimization

  • Fatma HachmiEmail author
  • Khadouja Boujenfa
  • Mohamed Limam


Intrusion detection systems (IDSs) are the fundamental parts of any network security infrastructure given their role as layers of defense against hackers. However, IDSs generate frequent instances of false alerts and miss a lot of real attacks that block the normal traffic and threaten the network security. It is not possible to identify a missed intrusion using one IDS, so multiple IDSs are used since they respond differently to the same packet trace and produce different alert sets. Actually, an attack missed by an IDS can be detected by another while inspecting the same network traffic. In this paper, we propose a multi-objective optimization process that aims to identify false negatives and false positives from the sets of alerts generated by multiple IDSs. In the first step, low-level alerts are clustered into meta-alerts to give a better understanding of the output of each IDS. Then, a filtering step is performed having as input the distinct meta-alert sets generated by different IDSs and as output the set of potential false negatives collecting the meta-alerts detected by some IDSs and missed by others. Meta-alerts generated by all IDSs are discarded since they cannot be missed attacks. Later, a clustering inter-IDS step is performed to group together similar meta-alerts generated by different IDSs. This clustering step aims to avoid the redundancy between the alerts generated by more than one IDS. Finally, a binary multi-objective optimization problem is used to detect false negatives and false positives. The proposed method is evaluated using a real network traffic, DARPA 1999 and NSL-KDD data sets. Experimental results show that the proposed process outperforms concurrent methods for false negatives and false positives detection.


Network security Linear optimization Alert clustering Data mining 


  1. 1.
    Julisch, K.: Clustering intrusion detection alarms to support root cause analysis. ACM Trans. Inf. Syst. Secu.—TISSEC 6(4), 443–471 (2003)CrossRefGoogle Scholar
  2. 2.
    Julisch, K.: Mining alarm clusters to improve alarm handling efficiency. In: Computer Security Applications Conference, pp. 12–21 (2001)Google Scholar
  3. 3.
    Pietraszek, T.: Using adaptive alert classification to reduce false positives in intrusion detection. In: Proceedings of 7th International Symposium, RAID 2004, Sophia Antipolis, France, pp. 102–124 (2004)Google Scholar
  4. 4.
    Pietraszek, T., Tanner, A.: Data mining and machine learning towards reducing false positives in intrusion detection. Inf. Secur. Tech. Rep. 10(3), 169–183 (2005)CrossRefGoogle Scholar
  5. 5.
    Pietraszek, T.: Alert Classification to Reduce False Positives in Intrusion Detection, Germany (2006)Google Scholar
  6. 6.
    Valeur, F., Vigna, G., Kruegel, C., Kemmerer, A.: A comprehensive approach to intrusion detection alert correlation. IEEE Trans. Dependable Secure Comput. 1(3), 146–169 (2004)CrossRefGoogle Scholar
  7. 7.
    Khan, L., Awad, M., Thuraisingham, B.: A new intrusion detection system using support vector machines and hierarchical clustering. VLDB J. 16(4), 507–521 (2007)CrossRefGoogle Scholar
  8. 8.
    Spathoulas, G.P., Katsikas, S.K.: Reducing false positives in intrusion detection systems. Comput. Secur. 29(1), 35–44 (2010)CrossRefGoogle Scholar
  9. 9.
    Mansour, N., Chehab, M.I., Faour, A.: Filtering intrusion detection alarms. Clust. Comput. 13(1), 19–29 (2010)CrossRefGoogle Scholar
  10. 10.
    Zhang, Y.Y., Huang, S., Wang, Y.: IDS alert classification model construction using decision support techniques. In: International Conference on Computer Science and Electronics Engineering, pp. 301–305 (2012)Google Scholar
  11. 11.
    Gupta, D., Joshi, P.S., Bhattacharjee, A.K., Mundada, R.S.: IDS alerts classification using knowledge-based evaluation. In: International Conference on Communication Systems and Networks January, 1–8 (2012)Google Scholar
  12. 12.
    Tjhai, G.C., Furnell, S.M., Papadaki, M., Clarke, N.L.: A preliminary two-stage alarm correlation and filtering system using SOM neural network and k-means algorithm. Comput. Secur. 29(6), 712–723 (2010)CrossRefGoogle Scholar
  13. 13.
    Elshoush, H,T., Osman, I.M.: An improved framework for intrusion alert correlation. In: WCE12: Proceedings of the 2012 World Congress on Engineering, pp. 1–6 (2012)Google Scholar
  14. 14.
    Benferhat, S., Boudjelida, A., Tabia, K., Drias, H.: An intrusion detection and alert correlation approach based on revising probabilistic classifiers using expert knowledge. Int. J. Appl. Intell. 38(4), 520–540 (2013)CrossRefGoogle Scholar
  15. 15.
    Hubballi, N., Suryanarayanan, V.: False alarm minimization techniques in signature-based intrusion detection systems: a survey. Comput. Commun. 49, 17 (2014)CrossRefGoogle Scholar
  16. 16.
    Guo, C., Zhou, Y., Ping, Y., Zhang, Z., Liu, G., Yang, Y.: A distance sum-based hybrid method for intrusion detection. Appl. Intell. 40(1), 178–188 (2014)CrossRefGoogle Scholar
  17. 17.
    Elhag, S., Fernndez, A., Bawakid, A., Alshomrani, S., Herrera, F.: On the combination of genetic fuzzy systems and pairwise learning for improving detection rates on intrusion detection systems. Expert Syst. Appl. 42(1), 193–202 (2015)CrossRefGoogle Scholar
  18. 18.
    Lin, W.-C., Ke, S.-W., Tsai, C.-F.: CANN: an intrusion detection system based on combining cluster centers and nearest neighbors. Knowl. Based Syst. 78, 13–21 (2015)CrossRefGoogle Scholar
  19. 19.
    Chen, I.-W., Lin, P.-C., Luo, C.-C., Cheng, T.-H., Lin Y.-D., Lai, Y.-C.: Extracting attack sessions from real traffic with intrusion prevention systems, In: Proceeding of IEEE International Conference on Communications (ICC) (2009)Google Scholar
  20. 20.
    Latif-shabgahi, G., Bass, J.M., Bennett, S.: A taxonomy for software voting algorithm used in safety-critical systems. IEEE Trans. Reliab. 53(3), 319–28 (2004)CrossRefGoogle Scholar
  21. 21.
    Parham, B.: Voting algorithms. IEEE Trans. Reliab. 43(4), 617–629 (2002)CrossRefGoogle Scholar
  22. 22.
    Lin, Y.-D., Lai, Y.-C., Ho, C.-Y., Tai, W.-H.: Creditability-based weighted voting for reducing false positives and negatives in intrusion detection. Comput. Secur. 39, 460–474 (2013)CrossRefGoogle Scholar
  23. 23.
    Ho, C.-Y., Lai, Y.-C., Chen, I.-W., Wang, F.-Y., Tai, W.-H.: Statistical analysis of false positives and false negatives from real traffic with intrusion detection/prevention systems. IEEE Commun. Mag. 50(3), 146–54 (2012)CrossRefGoogle Scholar
  24. 24.
    Yusof, R., Selamat, S., Sahib, S.: Intrusion alert correlation technique analysis for heterogenous log. Int. J. Comput. Sci. Netw. Secur. 8(9), 132–138 (2008)Google Scholar
  25. 25.
    Dunn, J.C.: A fuzzy relative of the isodata process and its compact well-separated clusters. J. Cybern. 3(3), 3257 (1973)CrossRefzbMATHGoogle Scholar
  26. 26.
    Bishop, C.: Pattern Recognition and Machine Learning. Springer, New York (2006)zbMATHGoogle Scholar
  27. 27.
    Grodzevich, O., Romanko, O.: Performance evaluation of an intelligent CAC and routing framework for multimedia applications in broadband networks normalization. In: Proceedings of the Fields-MITACS Industrial Problems Workshop, Toronto, Ontario (2006)Google Scholar

Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2018

Authors and Affiliations

  • Fatma Hachmi
    • 1
    Email author
  • Khadouja Boujenfa
    • 1
  • Mohamed Limam
    • 1
    • 2
  1. 1.ISG, University of TunisTunisTunisia
  2. 2.Dhofar UniversitySalalahOman

Personalised recommendations